[Swan] private key matching CKAID not found: can't find the private key matching the NSS CKAID

Sony Arpita Das sonyarpita at gmail.com
Tue Aug 30 15:53:02 EEST 2022


Hi,

I am trying to set up a host-to-host VPN and, when bringing the connection up
from Host2 (aqua4), I get the following message (the CKAID in the full log
further down is a4febfa93fb67078efe3ba5679ccae8adf61c568, which is aqua6's key;
the value quoted here appears to come from an earlier run):
 private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not
found: can't find the private key matching the NSS CKAID


Here are the steps that I have followed -

Host1 - aqua6 ; test IP - 102.1.1.89
Host2 - aqua4; test IP - 102.1.1.85

On Host1 -
-----------------------------------------------

[root at aqua6 42345]# rm -f /etc/ipsec.d/*db

[root at aqua6 42345]# /usr/sbin/ipsec initnss --nssdir /etc/ipsec.d
Initializing NSS database

[root at aqua6 42345]# /usr/sbin/ipsec newhostkey
Generated RSA key pair with CKAID
a4febfa93fb67078efe3ba5679ccae8adf61c568 was stored in the NSS
database
The public key can be displayed using: ipsec showhostkey --left
--ckaid a4febfa93fb67078efe3ba5679ccae8adf61c568
[root at aqua6 42345]# /usr/sbin/ipsec showhostkey --list
< 1> RSA keyid: AwEAAb4j/ ckaid: a4febfa93fb67078efe3ba5679ccae8adf61c568
[root at aqua6 42345]# /usr/sbin/ipsec showhostkey --left --ckaid
a4febfa93fb67078efe3ba5679ccae8adf61c568
        # rsakey AwEAAb4j/
        leftrsasigkey=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


On Host2 -
-----------------------------------------------
[root at aqua4 etc]# rm -f /etc/ipsec.d/*db
[root at aqua4 etc]# /usr/sbin/ipsec initnss --nssdir /etc/ipsec.d
Initializing NSS database

[root at aqua4 etc]# /usr/sbin/ipsec showhostkey --list
[root at aqua4 etc]#  /usr/sbin/ipsec newhostkey
Generated RSA key pair with CKAID 21075ce1a098cfcf82859e1b91e26f530c192bbe
was stored in the NSS database
The public key can be displayed using: ipsec showhostkey --left --ckaid
21075ce1a098cfcf82859e1b91e26f530c192bbe
[root at aqua4 etc]# /usr/sbin/ipsec showhostkey --list
< 1> RSA keyid: AwEAAbhUg ckaid: 21075ce1a098cfcf82859e1b91e26f530c192bbe
[root at aqua4 etc]# /usr/sbin/ipsec showhostkey --right --ckaid
21075ce1a098cfcf82859e1b91e26f530c192bbe
        # rsakey AwEAAbhUg

rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7dIZvICCx1JK6fPwPZ851HjH8Kgg/PNg1g6GVTEl83MDaWYYKtiVQUYnOx9tBH0GxEHdRCq1vkb/1O5X8EIgoEEarstzc3tlJFJq+x/Uy5e+kVkQRlK1UVMJgzwORcuUp/+cezqwZrArQJz2QJsIg4qP79T1LSQlQpg6oYP+vRMXwoS0MYuE5s+NU3L4jmJKh4lRX2InOxoUC1Oz1d3+wPXJGjf61jq2U9yal6bPhHPVF+RvRXGykjnzgCj9H0sR8RPk/tBAtM255EsG4fFIrbdpmH/iJRgdZixq8rmUvPAQ6kVw05vL/Hf05YecLjTD3Slvv/ZP9mh16veEfdcibMMndamPLcSL0KITljvAmR8+AVDLFNsknRJhvY/gNMI7ufbpi1+0jzIyyukUZEuWsgxmCt6gMcGG4MnISlaRhZUC7JNDN1XYA3/cG2gChpejYflZ+qfHtN0GIo6WAtqqSFiZM47sPP0z4t8Kp67ewKB7i71Zz00Cw94etbXF3ihMNohjx7y4p9NHJzQYAQDYBLxFdZu+E6sVvepFRNGEPh


ipsec.conf on Host1
-----------------------------------------------
Note (review): the left/right addresses below are swapped relative to the host
list above. Host1 (aqua6) is 102.1.1.89, yet leftid=@aqua6 is paired with
left=102.1.1.85, and rightid=@aqua4 with right=102.1.1.89. libreswan orients a
connection by matching one of its own interface addresses, so aqua4 (.85) takes
the "left" role and looks for the private key behind leftrsasigkey - aqua6's key,
CKAID a4febfa93fb67078efe3ba5679ccae8adf61c568 - which is exactly the key the
error says it cannot find. Fix this by setting left=102.1.1.89 and
right=102.1.1.85 on both hosts (or by swapping the ids and keys instead).
Two further caveats: rightckaid= on Host1 names a key that exists only in
aqua4's NSS database (leftckaid/rightckaid select a key from the local NSS db;
since the peer's public key is already given inline via rightrsasigkey, this line
looks unnecessary - confirm against ipsec.conf(5)), and plutodebug=private
writes private-key material into the log file, so that log must be treated as a
secret and the option removed once debugging is finished.
[root at aqua6 ~]# cat /etc/ipsec.conf
config setup
    plutodebug=private
    plutostderrlog=/var/log/openswan.log


conn mytunnel
    leftid=@aqua6.blr.asicdesigners.com
    left=102.1.1.85

leftrsasigkey=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
   rightid=@aqua4.blr.asicdesigners.com
    right=102.1.1.89

rightrsasigkey=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
    rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe

    authby=rsasig
    phase2alg=aes_gcm128
    type=transport
    auto=add

ipsec.conf on Host2
-----------------------------------------------
[root at aqua4 ~]# cat /etc/ipsec.conf
config setup
    plutodebug=private
    plutostderrlog=/var/log/openswan.log


conn mytunnel
    leftid=@aqua6.blr.asicdesigners.com
    left=102.1.1.85

leftrsasigkey=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
    rightid=@aqua4.blr.asicdesigners.com
    right=102.1.1.89

rightrsasigkey=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
    authby=rsasig
    phase2alg=aes_gcm128
    type=transport
    auto=add


Starting the tunnel on Host1 and Host2
-----------------------------------------------
[root at aqua6 ~]# systemctl stop ipsec
[root at aqua6 ~]# systemctl start ipsec
[root at aqua6 42345]# /usr/sbin/ipsec setup start
Redirecting to: systemctl start ipsec.service
[root at aqua6 42345]# /usr/sbin/ipsec auto --add mytunnel
002 "mytunnel": terminating SAs using this connection
002 "mytunnel": added IKEv2 connection

[root at aqua4 etc]# systemctl stop ipsec
[root at aqua4 etc]# systemctl start ipsec
[root at aqua4 etc]# /usr/sbin/ipsec auto --add mytunnel
002 "mytunnel": terminating SAs using this connection
002 "mytunnel": added IKEv2 connection
[root at aqua4 etc]# /usr/sbin/ipsec auto --up mytunnel
181 "mytunnel" #1: initiating IKEv2 connection
181 "mytunnel" #1: sent IKE_SA_INIT request
003 "mytunnel" #1: private key matching CKAID
'a4febfa93fb67078efe3ba5679ccae8adf61c568' not found: can't find the
private key matching the NSS CKAID
036 "mytunnel" #1: encountered fatal error in state STATE_V2_PARENT_I1
002 "mytunnel" #1: deleting state (STATE_V2_PARENT_I1) aged 0.006793s and
NOT sending notification
002 "mytunnel" #1: deleting IKE SA but connection is supposed to remain up;
schedule EVENT_REVIVE_CONNS

[root at aqua4 ~]# ipsec version
Linux Libreswan 4.5 (XFRM) on 4.18.0-372.9.1.el8.x86_64

[root at aqua6 ~]# ipsec version
Linux Libreswan 4.5 (XFRM) on 4.18.0-372.9.1.el8.x86_64